# create a new proxy server

- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=proxies:proxies_stg:!proxy05.fedoraproject.org:!cloud_aws"

- name: make the box be real
  hosts: proxies_stg:proxies
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  pre_tasks:
  - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"

  roles:
  - base
  - { role: openvpn/client,
      when: env != "staging" }
  - ipa/client
  - rkhunter
  - nagios_client
  - collectd/base
  - sudo
  - rsyncd
  - { role: mirrormanager/mirrorlist_proxy,
      when: env == "staging" or "'mirrorlist_proxy' in group_names" }
  - apache
  - role: zabbix/zabbix_agent
    when: env == "staging"

  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"

  # You might think we would want these tasks_path on the proxy nodes, but they
  # actually deliver a configuration that our proxy-specific roles below then go
  # and overwrite... so, let's just leave them out.
  #- import_tasks: "{{ tasks_path }}/apache.yml"
  #- import_tasks: "{{ tasks_path }}/mod_wsgi.yml"

  - name: set ip_conntrack_max to a high value as the proxies deal with lots of connections
    sysctl: name=net.nf_conntrack_max value=26214400 state=present sysctl_set=yes reload=yes

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"


  # TODO
  #
  # - fedora-web::build (bapp0*)
  # - fedora-docs::build (bapp0*)
  # - review-stats::build (bapp0*)
  # - membership-map::build (bapp0*)
  #
  ## TBD
  # - sysctl ip_conntrack_max bits  - do we still need this on rhel7?
  # - semanage ports.. we're likely going to need one for every app.
  # - sebooleans.. let's try running first, see what gets blocked, and then
  #                selectively enable where semanage port fails
  #
  ## Not going to do
  # - smolt::proxy -- note going to do this.  smolt is dead.  long live smolt.
  # - domainnotarget stuff - only smolt used this


- name: Set up the proxy basics
  hosts: proxies_stg:proxies
  strategy: free
  user: root
  gather_facts: False

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  pre_tasks:

  roles:
  - httpd/mod_ssl
  - httpd/proxy
  - varnish
  #
  # Re-run hosts here so things are ok for the haproxy check
  #
  - hosts
  
  tasks:

# After setting up the "basics" of the proxy hosts above, here below we break
# out the proxy-specific configuration into a couple different sub-playbooks.
# Othewise, this file would be unbearably long.

- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-certificates.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-websites.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-fedorahosted.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-fedora-web.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-reverseproxy.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-rewrites.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-redirects.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml

- name: Make sure we are deployed fully
  hosts: proxies_stg:proxies
  strategy: free
  user: root
  gather_facts: False

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  pre_tasks:
  #
  # If this is an initial deployment, we need the initial ticketkey
  # If it's not, doesn't hurt to copy it over again
  #
  - name: deploy ticket key
    copy: src=/root/ticketkey_{{env}}.tkey dest=/etc/httpd/ticketkey_{{env}}.tkey
          owner=root group=root mode=0600
    notify:
    - reload proxyhttpd

  #
  # If this is an initial deployment, make sure docs are synced over.
  # Do not count these as changed ever
  #
  - name: make sure docs are synced. This could take a very very very logtime to finish
    shell: /usr/local/bin/lock-wrapper docs-sync "/usr/local/bin/docs-rsync" >& /dev/null
    changed_when: false
    ignore_errors: true

  - name: make sure selinux contexts are right on srv
    command: restorecon -R /srv
    changed_when: false
